[ZBX-16521] Permission denied with zabbix_get and from server and not on zabbix_agentd Created: 2019 Aug 15  Updated: 2019 Aug 15  Resolved: 2019 Aug 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: Mohamed Cherkaoui Assignee: Edgar Akhmetshin
Resolution: Won't fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Capture d’écran 2019-08-15 à 12.46.41.png    

 Description   

Actual problem (see also attachment)

[root@localhost ~]# zabbix_agentd -t pgsql.connections.sum["localhost","5432","odoo","postgres"]
pgsql.connections.sum[localhost,5432,odoo,postgres] [t|{"active":1,"idle":4,"idle_in_transaction":0,"total":5,"total_pct":5,"waiting":0,"prepared":0}]


[root@localhost ~]# zabbix_get -s localhost -k pgsql.connections.sum["localhost","5432","odoo","postgres"]
/var/lib/zabbix/postgresql/pgsql.connections.sum.sql : Permission non accordée

Versions of zabbix_get and zabbix_agentd on CentOS :

[root@localhost ~]# zabbix_get --version
zabbix_get (Zabbix) 4.2.5
Revision 2c0e4d1d39 29 July 2019, compilation time: Jul 29 2019 15:51:30

Copyright (C) 2019 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).

Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
Running with OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# zabbix_agentd --version
zabbix_agentd (daemon) (Zabbix) 4.2.5
Revision 2c0e4d1d39 29 July 2019, compilation time: Jul 29 2019 15:51:30

Copyright (C) 2019 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).

Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
Running with OpenSSL 1.0.1e-fips 11 Feb 2013

Version of the server (Debian 9) :

root@vpsXXXX:~# zabbix_server --version
zabbix_server (Zabbix) 4.2.5
Revision 2c0e4d1d39 29 July 2019, compilation time: Jul 29 2019 08:10:51

Copyright (C) 2019 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).

Compiled with OpenSSL 1.1.0f 25 May 2017
Running with OpenSSL 1.1.0k 28 May 2019

Version of CentOS 

CentOS Linux release 7.6.1810 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.6.1810 (Core)
CentOS Linux release 7.6.1810 (Core)

Tried Solutions :

  1. Add zabbix to sudoers (Execute ALL)
  2. Add zabbix to root group
  3. Give all access to the directory /var/lib/zabbix/postgresql
  4. AllowRoot in the configuration file doesn't work


 Comments   
Comment by Alexey Pustovalov [ 2019 Aug 15 ]

Please try this one command from the host side:

sudo -uzabbix zabbix_agentd -t pgsql.connections.sum["localhost","5432","odoo","postgres"]

when you use "zabbix_agentd -t" only, it uses your user permissions.

Comment by Mohamed Cherkaoui [ 2019 Aug 15 ]

@dotneft

[root@localhost ~]# sudo -uzabbix zabbix_agentd -t pgsql.connections.sum["localhost","5432","odoo","postgres"]
pgsql.connections.sum[localhost,5432,odoo,postgres] [t|{"active":1,"idle":4,"idle_in_transaction":0,"total":5,"total_pct":5,"waiting":0,"prepared":0}]
[root@localhost ~]# ps aux | grep zabbix
root 10614 0.0 0.0 107992 616 pts/0 S+ 13:13 0:00 tail -f /var/log/zabbix/zabbix_agentd.log
zabbix 11873 0.0 0.0 80864 1276 ? S 13:30 0:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf
zabbix 11875 0.0 0.0 80864 1320 ? S 13:30 0:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
zabbix 11876 0.0 0.1 80864 2004 ? S 13:30 0:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
zabbix 11877 0.0 0.1 80864 2004 ? S 13:30 0:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
zabbix 11878 0.0 0.1 80864 2004 ? S 13:30 0:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
zabbix 11879 0.1 0.1 81000 2336 ? S 13:30 0:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
root 11940 0.0 0.0 112728 984 pts/1 S+ 13:31 0:00 grep --color=auto zabbix
 11879:20190815:133220.719 EXECUTE_STR() command:' psql -qtAX -h 127.0.0.1 -p 5432 -U odoo -d postgres -f "/var/lib/zabbix/postgresql/pgsql.connections.sum.sql"' len:79 cmd_result:'/var/lib/zabbix/post'
11879:20190815:133220.719 for key [pgsql.connections.sum["127.0.0.1","5432","odoo","postgres"]] received value [/var/lib/zabbix/postgresql/pgsql.connections.sum.sql : Permission non accordée]
11879:20190815:133220.719 In process_value() key:'CentOS:pgsql.connections.sum["{$PG.HOST}","{$PG.PORT}","{$PG.USER}","{$PG.DB}"]' lastlogsize:null value:'/var/lib/zabbix/postgresql/pgsql.connections.sum.sql : Permission non accordée'
11879:20190815:133220.719 buffer: new element 0
11879:20190815:133220.719 End of process_value():SUCCEED
11879:20190815:133220.719 In need_meta_update() key:pgsql.connections.sum["127.0.0.1","5432","odoo","postgres"]
11879:20190815:133220.719 End of need_meta_update():FAIL
11879:20190815:133220.719 In send_buffer() host:'51.254.222.13' port:10051 entries:1/100
11879:20190815:133220.759 JSON before sending [{"request":"agent data","session":"55a81bd4887042d94e9863040fa8afc8","data":[{"host":"CentOS","key":"pgsql.connections.sum[\"{$PG.HOST}\",\"{$PG.PORT}\",\"{$PG.USER}\",\"{$PG.DB}\"]","value":"/var/lib/zabbix/postgresql/pgsql.connections.sum.sql : Permission non accordée","id":15,"clock":1565868740,"ns":719237004}],"clock":1565868740,"ns":759024378}]
11879:20190815:133220.788 JSON back [{"response":"success","info":"processed: 1; failed: 0; total: 1; seconds spent: 0.000087"}]
11879:20190815:133220.788 In check_response() response:'{"response":"success","info":"processed: 1; failed: 0; total: 1; seconds spent: 0.000087"}'
11879:20190815:133220.788 info from server: 'processed: 1; failed: 0; total: 1; seconds spent: 0.000087'
11879:20190815:133220.788 End of check_response():SUCCEED
Comment by Alexey Pustovalov [ 2019 Aug 15 ]

Is SELinux enabled? Please check /var/log/audit/audit.log.

Comment by Mohamed Cherkaoui [ 2019 Aug 15 ]

Yes

[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31er

 
Using the command setenforce 0, I can now get values.
So, is the problem not related to Zabbix, or should I configure something to make it work with security enabled? I should not disable that on our machine.

Thanks

Comment by Edgar Akhmetshin [ 2019 Aug 15 ]

Hello Mohamed,

Quite often you need to run the "audit2allow -M" command multiple times. Example with errors related to the example checks:

  1. check SELinux for the deny records (read is not allowed):
    # grep zabbix_agent /var/log/audit/audit.log
    type=AVC msg=audit(1487096344.185:114): avc:  denied  { read } for  pid=3783 comm="zabbix_agentd" name="feat_s3scan_monitor.log" dev="xvda2" ino=6130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
  2. generate a module package and install it:
    # grep zabbix_agent /var/log/audit/audit.log | audit2allow -M zabbix_agent_add
    # semodule -i zabbix_agent_add.pp
  3. wait for 10 minutes - Zabbix server will check not supported items every 10 minutes
  4. check agent's log file for the new errors:
    # grep feat_s3scan /var/log/zabbix/zabbix_agentd.log
      2706:20170214:164838.703 active check "log[/var/log/feat_s3scan_monitor.log,"ERROR",,5,skip]" is not supported: Cannot open file "/var/log/feat_s3scan_monitor.log": [13] Permission denied
  5. check SELinux for the deny records:
    # grep zabbix_agent /var/log/audit/audit.log
    type=AVC msg=audit(1487097798.364:82): avc:  denied  { open } for  pid=2707 comm="zabbix_agentd" path="/var/log/feat_s3scan_monitor.log" dev="xvda2" ino=6130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
  6. update the module package and install it:
    # grep zabbix_agent /var/log/audit/audit.log | audit2allow -M zabbix_agent_add
    # semodule -i zabbix_agent_add.pp
  7. repeat steps 3-7

Please be advised that this section of the tracker is for bug reports only. The case you have submitted can not be qualified as one, so please reach out to [email protected] for commercial support or consultancy services. Alternatively, you can also use our IRC channel or community forum (https://www.zabbix.com/forum) for assistance. With that said, we are closing this ticket. Thank you for understanding.

Regards,
Edgar
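
Added example (not part of the comment above and not Zabbix code): before installing a module built from logged denials, it helps to see which permissions those denials add up to for the agent's domain. This sh/awk script condenses AVC records for one source domain into candidate allow rules; the function names `sample_avc` and `summarize_avc` are hypothetical, and the input is the two AVC lines quoted above plus one constructed record.

```shell
#!/bin/sh
# Added example: condense SELinux AVC denials for one source domain into
# candidate allow rules for review before a module is built and installed.

# Sample input: the first two records are the AVC lines quoted in the comment
# above; the third is constructed to show a record that a plain
# "grep zabbix_agent" would also match although another domain was denied.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1487096344.185:114): avc:  denied  { read } for  pid=3783 comm="zabbix_agentd" name="feat_s3scan_monitor.log" dev="xvda2" ino=6130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1487097798.364:82): avc:  denied  { open } for  pid=2707 comm="zabbix_agentd" path="/var/log/feat_s3scan_monitor.log" dev="xvda2" ino=6130 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1487097900.001:90): avc:  denied  { getattr } for  pid=4100 comm="logrotate" path="/var/log/zabbix/zabbix_agentd.log" dev="xvda2" ino=7001 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file
EOF
}

# summarize_avc DOMAIN: read audit records on stdin, keep denials whose
# source type (third field of scontext) is DOMAIN, and print one rule per
# target type and class with the denied permissions merged.
summarize_avc() {
    awk -v dom="$1" '
    /type=AVC/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # the denied permissions sit between the first pair of braces
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) list[key] = list[key] " " p[j]
    }
    END { for (k in list) print "allow " k " {" list[k] " };" }
    ' | sort
}

sample_avc | summarize_avc zabbix_agent_t
```

On a real host, `audit2allow -M zabbix_agent_add` also writes `zabbix_agent_add.te` next to the `.pp`; reading that file before `semodule -i` gives the same review of what the module will allow.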

Comment by Mohamed Cherkaoui [ 2019 Aug 15 ]

Thank you, it's very helpful.
At first glance, it looked like a bug.

Regards.
